On 04/05/2012 Rob Weir wrote:
> And Apache /dist serving the hashes for verification
This is surely OK, but the project policy at OpenOffice.org was to
additionally send an e-mail to a public list (it would be ooo-dev with
the current settings) with all checksums. While it may sound odd, it
makes sense since the list is publicly archived in several places, so if
the website is hacked (or simply if its revision history is lost due to
migration, as recently happened for openoffice.org) it is always
possible to verify that an OpenOffice download is genuine.
Regards,
Andrea.
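
The cross-check described in this message, as an added example that is not part of the original e-mail or of any OpenOffice tooling: a download is compared against both the hash served by the website and the copy preserved in a mailing-list archive. SHA-256, the sha256sum line format, the file name and all sample data are assumptions constructed for the illustration.

```python
import hashlib
import re

# Assumption: both channels use sha256sum-style lines ("<64 hex>  <file>").
LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")

def parse_checksums(text):
    """Return {filename: digest}, skipping prose and '>'-quoted lines."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            found[m.group(2)] = m.group(1).lower()
    return found

def verify(data, name, site_text, list_text):
    """Check a download against the site hash and the archived e-mail."""
    actual = hashlib.sha256(data).hexdigest()
    site = parse_checksums(site_text).get(name)
    mailed = parse_checksums(list_text).get(name)
    if mailed is None:
        return "no-list-record"              # no independent record exists
    if actual == mailed:
        return "genuine" if site == mailed else "site-hash-differs"
    if actual == site:
        return "site-and-download-replaced"  # site agrees with itself only
    return "download-mismatch"               # corrupt or altered in transit

# Constructed sample data (hypothetical file name and contents).
NAME = "example-release.tar.gz"
RELEASE = b"constructed release bytes"
TAMPERED = b"constructed tampered bytes"

def sha_line(data):
    return f"{hashlib.sha256(data).hexdigest()}  {NAME}\n"

MAIL = "Subject: checksums for the release\n\n" + sha_line(RELEASE) + "Regards\n"
GOOD_SITE = sha_line(RELEASE)
HACKED_SITE = sha_line(TAMPERED)

if __name__ == "__main__":
    print(verify(RELEASE, NAME, GOOD_SITE, MAIL))
    print(verify(TAMPERED, NAME, HACKED_SITE, MAIL))
```

The second call models the hacked-website case: the file and the site's hash were replaced together and agree with each other, and only the archived e-mail exposes the change.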